From 3d79dcbda0ece367e5c311934af89fa0a0fe43b1 Mon Sep 17 00:00:00 2001 
From: Yih-Dar <2521628+ydshieh@users.noreply.github.com> 
Date: Wed, 28 Aug 2024 18:15:58 +0200 
Subject: [PATCH] update push CI workflow files for security (#33142) 
* update for security 1 
* update for security 2 
* update for security 3 
* update for security 4 
* update for security 5 
--------- 
Co-authored-by: ydshieh 
---
 .github/workflows/self-push-amd.yml | 37 +++++++++-------
 .github/workflows/self-push.yml | 67 +++++++++++++++++------------
 2 files changed, 60 insertions(+), 44 deletions(-) 
diff --git a/.github/workflows/self-push-amd.yml b/.github/workflows/self-push-amd.yml 
index 6d046b1478..6931c2f3ea 100644 
--- a/.github/workflows/self-push-amd.yml 
+++ b/.github/workflows/self-push-amd.yml 
@@ -64,23 +64,24 @@ jobs:
 outputs:
 matrix: ${{ steps.set-matrix.outputs.matrix }}
 test_map: ${{ steps.set-matrix.outputs.test_map }} 
+ env: 
+ # `CI_BRANCH_PUSH`: The branch name from the push event 
+ # `CI_BRANCH_WORKFLOW_RUN`: The name of the branch on which this workflow is triggered by `workflow_run` event 
+ # `CI_SHA_PUSH`: The commit SHA from the push event 
+ # `CI_SHA_WORKFLOW_RUN`: The commit SHA that triggers this workflow by `workflow_run` event 
+ CI_BRANCH_PUSH: ${{ github.event.ref }} 
+ CI_BRANCH_WORKFLOW_RUN: ${{ github.event.workflow_run.head_branch }} 
+ CI_SHA_PUSH: ${{ github.event.head_commit.id }} 
+ CI_SHA_WORKFLOW_RUN: ${{ github.event.workflow_run.head_sha }}
 steps:
 # Necessary to get the correct branch name and commit SHA for `workflow_run` event
 # We also take into account the `push` event (we might want to test some changes in a branch)
 - name: Prepare custom environment variables
 shell: bash 
- # `CI_BRANCH_PUSH`: The branch name from the push event 
- # `CI_BRANCH_WORKFLOW_RUN`: The name of the branch on which this workflow is triggered by `workflow_run` event
 # `CI_BRANCH`: The non-empty branch name from the above two (one and only one of them is empty) 
- # `CI_SHA_PUSH`: The commit SHA from the push event 
- # `CI_SHA_WORKFLOW_RUN`: The commit SHA that triggers this workflow by `workflow_run` event
 # `CI_SHA`: The non-empty commit SHA from the above two (one and only one of them is empty)
 run: | 
- CI_BRANCH_PUSH=${{ github.event.ref }}
 CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} 
- CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} 
- CI_SHA_PUSH=${{ github.event.head_commit.id }} 
- CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }}
 echo $CI_BRANCH_PUSH
 echo $CI_BRANCH_WORKFLOW_RUN
 echo $CI_SHA_PUSH 
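Review bot: The four `CI_*` entries added under the `Setup` job's `env:` are repeated verbatim in every other job of this file (hunks @@ -159 and @@ -256) and at the same positions in self-push.yml; a single workflow-level `env:` block would define them once, so the point where untrusted event data stops being an expression and becomes plain environment data lives in one place. That only works if no job needs different values, which these hunks suggest is the case. The comment block explaining the variables would then move with them, and the `For the meaning of these environment variables, see the job Setup` pointers in the other jobs become unnecessary. The `run:` script that starts at the end of this hunk continues beyond it, so the lines that derive `CI_BRANCH` and `CI_SHA` from these values are not visible here.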
@@ -159,6 +160,12 @@ jobs:
 container:
 image: huggingface/transformers-pytorch-amd-gpu-push-ci # <--- We test only for PyTorch for now
 options: --device /dev/kfd --device /dev/dri --env ROCR_VISIBLE_DEVICES --shm-size "16gb" --ipc host -v /mnt/cache/.cache/huggingface:/mnt/cache/ 
+ env: 
+ # For the meaning of these environment variables, see the job `Setup` 
+ CI_BRANCH_PUSH: ${{ github.event.ref }} 
+ CI_BRANCH_WORKFLOW_RUN: ${{ github.event.workflow_run.head_branch }} 
+ CI_SHA_PUSH: ${{ github.event.head_commit.id }} 
+ CI_SHA_WORKFLOW_RUN: ${{ github.event.workflow_run.head_sha }}
 steps:
 # Necessary to get the correct branch name and commit SHA for `workflow_run` event
 # We also take into account the `push` event (we might want to test some changes in a branch) 
@@ -166,11 +173,7 @@ jobs:
 shell: bash
 # For the meaning of these environment variables, see the job `Setup`
 run: | 
- CI_BRANCH_PUSH=${{ github.event.ref }}
 CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} 
- CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} 
- CI_SHA_PUSH=${{ github.event.head_commit.id }} 
- CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }}
 echo $CI_BRANCH_PUSH
 echo $CI_BRANCH_WORKFLOW_RUN
 echo $CI_SHA_PUSH 
@@ -256,6 +259,12 @@ jobs:
 # run_tests_torch_cuda_extensions_single_gpu,
 # run_tests_torch_cuda_extensions_multi_gpu
 ] 
+ env: 
+ # For the meaning of these environment variables, see the job `Setup` 
+ CI_BRANCH_PUSH: ${{ github.event.ref }} 
+ CI_BRANCH_WORKFLOW_RUN: ${{ github.event.workflow_run.head_branch }} 
+ CI_SHA_PUSH: ${{ github.event.head_commit.id }} 
+ CI_SHA_WORKFLOW_RUN: ${{ github.event.workflow_run.head_sha }}
 steps:
 - name: Preliminary job status
 shell: bash 
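Review bot: In hunk @@ -166 the surviving line `CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''}` replaces the first `refs/heads/` wherever it occurs rather than stripping it as a prefix; the prefix form `CI_BRANCH_PUSH=${CI_BRANCH_PUSH#refs/heads/}` states the intent and cannot touch a later path segment. The `echo $CI_BRANCH_PUSH` lines are also unquoted; `echo "$CI_BRANCH_PUSH"` is the habit worth keeping for variables that now carry event-derived data, even though a git refname cannot contain glob characters. The same lines recur in hunk @@ -271 of this file and in the `run:` hunks of self-push.yml (@@ -142, @@ -235, @@ -328, @@ -418, @@ -513). Any `${{ github.event.* }}` interpolation still left inside a `run:` block elsewhere in these files would deserve the same move into `env:`; nothing outside these hunks is visible here.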
@@ -271,11 +280,7 @@ jobs:
 shell: bash
 # For the meaning of these environment variables, see the job `Setup`
 run: | 
- CI_BRANCH_PUSH=${{ github.event.ref }}
 CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} 
- CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} 
- CI_SHA_PUSH=${{ github.event.head_commit.id }} 
- CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }}
 echo $CI_BRANCH_PUSH
 echo $CI_BRANCH_WORKFLOW_RUN
 echo $CI_SHA_PUSH 
diff --git a/.github/workflows/self-push.yml b/.github/workflows/self-push.yml 
index 31f68c291b..b328f65d34 100644 
--- a/.github/workflows/self-push.yml 
+++ b/.github/workflows/self-push.yml 
@@ -40,23 +40,24 @@ jobs:
 outputs:
 matrix: ${{ steps.set-matrix.outputs.matrix }}
 test_map: ${{ steps.set-matrix.outputs.test_map }} 
+ env: 
+ # `CI_BRANCH_PUSH`: The branch name from the push event 
+ # `CI_BRANCH_WORKFLOW_RUN`: The name of the branch on which this workflow is triggered by `workflow_run` event 
+ # `CI_SHA_PUSH`: The commit SHA from the push event 
+ # `CI_SHA_WORKFLOW_RUN`: The commit SHA that triggers this workflow by `workflow_run` event 
+ CI_BRANCH_PUSH: ${{ github.event.ref }} 
+ CI_BRANCH_WORKFLOW_RUN: ${{ github.event.workflow_run.head_branch }} 
+ CI_SHA_PUSH: ${{ github.event.head_commit.id }} 
+ CI_SHA_WORKFLOW_RUN: ${{ github.event.workflow_run.head_sha }}
 steps:
 # Necessary to get the correct branch name and commit SHA for `workflow_run` event
 # We also take into account the `push` event (we might want to test some changes in a branch)
 - name: Prepare custom environment variables
 shell: bash 
- # `CI_BRANCH_PUSH`: The branch name from the push event 
- # `CI_BRANCH_WORKFLOW_RUN`: The name of the branch on which this workflow is triggered by `workflow_run` event
 # `CI_BRANCH`: The non-empty branch name from the above two (one and only one of them is empty) 
- # `CI_SHA_PUSH`: The commit SHA from the push event 
- # `CI_SHA_WORKFLOW_RUN`: The commit SHA that triggers this workflow by `workflow_run` event
 # `CI_SHA`: The non-empty commit SHA from the above two (one and only one of them is empty)
 run: | 
- CI_BRANCH_PUSH=${{ github.event.ref }}
 CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} 
- CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} 
- CI_SHA_PUSH=${{ github.event.head_commit.id }} 
- CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }}
 echo $CI_BRANCH_PUSH
 echo $CI_BRANCH_WORKFLOW_RUN
 echo $CI_SHA_PUSH 
@@ -135,6 +136,12 @@ jobs:
 container:
 image: huggingface/transformers-all-latest-gpu-push-ci
 options: --gpus 0 --shm-size "16gb" --ipc host -v /mnt/cache/.cache/huggingface:/mnt/cache/ 
+ env: 
+ # For the meaning of these environment variables, see the job `Setup` 
+ CI_BRANCH_PUSH: ${{ github.event.ref }} 
+ CI_BRANCH_WORKFLOW_RUN: ${{ github.event.workflow_run.head_branch }} 
+ CI_SHA_PUSH: ${{ github.event.head_commit.id }} 
+ CI_SHA_WORKFLOW_RUN: ${{ github.event.workflow_run.head_sha }}
 steps:
 # Necessary to get the correct branch name and commit SHA for `workflow_run` event
 # We also take into account the `push` event (we might want to test some changes in a branch) 
@@ -142,11 +149,7 @@ jobs:
 shell: bash
 # For the meaning of these environment variables, see the job `Setup`
 run: | 
- CI_BRANCH_PUSH=${{ github.event.ref }}
 CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} 
- CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} 
- CI_SHA_PUSH=${{ github.event.head_commit.id }} 
- CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }}
 echo $CI_BRANCH_PUSH
 echo $CI_BRANCH_WORKFLOW_RUN
 echo $CI_SHA_PUSH 
@@ -228,6 +231,12 @@ jobs:
 container:
 image: huggingface/transformers-all-latest-gpu-push-ci
 options: --gpus all --shm-size "16gb" --ipc host -v /mnt/cache/.cache/huggingface:/mnt/cache/ 
+ env: 
+ # For the meaning of these environment variables, see the job `Setup` 
+ CI_BRANCH_PUSH: ${{ github.event.ref }} 
+ CI_BRANCH_WORKFLOW_RUN: ${{ github.event.workflow_run.head_branch }} 
+ CI_SHA_PUSH: ${{ github.event.head_commit.id }} 
+ CI_SHA_WORKFLOW_RUN: ${{ github.event.workflow_run.head_sha }}
 steps:
 # Necessary to get the correct branch name and commit SHA for `workflow_run` event
 # We also take into account the `push` event (we might want to test some changes in a branch) 
@@ -235,11 +244,7 @@ jobs:
 shell: bash
 # For the meaning of these environment variables, see the job `Setup`
 run: | 
- CI_BRANCH_PUSH=${{ github.event.ref }}
 CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} 
- CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} 
- CI_SHA_PUSH=${{ github.event.head_commit.id }} 
- CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }}
 echo $CI_BRANCH_PUSH
 echo $CI_BRANCH_WORKFLOW_RUN
 echo $CI_SHA_PUSH 
@@ -321,6 +326,12 @@ jobs:
 container:
 image: huggingface/transformers-pytorch-deepspeed-latest-gpu-push-ci
 options: --gpus 0 --shm-size "16gb" --ipc host -v /mnt/cache/.cache/huggingface:/mnt/cache/ 
+ env: 
+ # For the meaning of these environment variables, see the job `Setup` 
+ CI_BRANCH_PUSH: ${{ github.event.ref }} 
+ CI_BRANCH_WORKFLOW_RUN: ${{ github.event.workflow_run.head_branch }} 
+ CI_SHA_PUSH: ${{ github.event.head_commit.id }} 
+ CI_SHA_WORKFLOW_RUN: ${{ github.event.workflow_run.head_sha }}
 steps:
 # Necessary to get the correct branch name and commit SHA for `workflow_run` event
 # We also take into account the `push` event (we might want to test some changes in a branch) 
@@ -328,11 +339,7 @@ jobs:
 shell: bash
 # For the meaning of these environment variables, see the job `Setup`
 run: | 
- CI_BRANCH_PUSH=${{ github.event.ref }}
 CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} 
- CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} 
- CI_SHA_PUSH=${{ github.event.head_commit.id }} 
- CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }}
 echo $CI_BRANCH_PUSH
 echo $CI_BRANCH_WORKFLOW_RUN
 echo $CI_SHA_PUSH 
@@ -411,6 +418,12 @@ jobs:
 container:
 image: huggingface/transformers-pytorch-deepspeed-latest-gpu-push-ci
 options: --gpus all --shm-size "16gb" --ipc host -v /mnt/cache/.cache/huggingface:/mnt/cache/ 
+ env: 
+ # For the meaning of these environment variables, see the job `Setup` 
+ CI_BRANCH_PUSH: ${{ github.event.ref }} 
+ CI_BRANCH_WORKFLOW_RUN: ${{ github.event.workflow_run.head_branch }} 
+ CI_SHA_PUSH: ${{ github.event.head_commit.id }} 
+ CI_SHA_WORKFLOW_RUN: ${{ github.event.workflow_run.head_sha }}
 steps:
 # Necessary to get the correct branch name and commit SHA for `workflow_run` event
 # We also take into account the `push` event (we might want to test some changes in a branch) 
@@ -418,11 +431,7 @@ jobs:
 shell: bash
 # For the meaning of these environment variables, see the job `Setup`
 run: | 
- CI_BRANCH_PUSH=${{ github.event.ref }}
 CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} 
- CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} 
- CI_SHA_PUSH=${{ github.event.head_commit.id }} 
- CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }}
 echo $CI_BRANCH_PUSH
 echo $CI_BRANCH_WORKFLOW_RUN
 echo $CI_SHA_PUSH 
@@ -500,6 +509,12 @@ jobs:
 run_tests_torch_cuda_extensions_single_gpu,
 run_tests_torch_cuda_extensions_multi_gpu
 ] 
+ env: 
+ # For the meaning of these environment variables, see the job `Setup` 
+ CI_BRANCH_PUSH: ${{ github.event.ref }} 
+ CI_BRANCH_WORKFLOW_RUN: ${{ github.event.workflow_run.head_branch }} 
+ CI_SHA_PUSH: ${{ github.event.head_commit.id }} 
+ CI_SHA_WORKFLOW_RUN: ${{ github.event.workflow_run.head_sha }}
 steps:
 - name: Preliminary job status
 shell: bash 
@@ -513,11 +528,7 @@ jobs:
 shell: bash
 # For the meaning of these environment variables, see the job `Setup`
 run: | 
- CI_BRANCH_PUSH=${{ github.event.ref }}
 CI_BRANCH_PUSH=${CI_BRANCH_PUSH/'refs/heads/'/''} 
- CI_BRANCH_WORKFLOW_RUN=${{ github.event.workflow_run.head_branch }} 
- CI_SHA_PUSH=${{ github.event.head_commit.id }} 
- CI_SHA_WORKFLOW_RUN=${{ github.event.workflow_run.head_sha }}
 echo $CI_BRANCH_PUSH
 echo $CI_BRANCH_WORKFLOW_RUN
 echo $CI_SHA_PUSH